Report No. AUD-08-020                                        September 2008

Federal Deposit Insurance Corporation
Independent Evaluation of the FDIC's Information Security Program-2008


Why We Did The Audit

The FDIC Office of Inspector General (OIG) contracted with KPMG, LLP (KPMG) to conduct an independent evaluation of the FDIC's information security program and practices pursuant to the Federal Information Security Management Act of 2002 (FISMA). FISMA requires federal agencies, including the FDIC, to have an annual independent evaluation performed of their information security program and practices and to report the results of the evaluation to the Office of Management and Budget.

The objective of the evaluation was to determine the effectiveness of the FDIC's information security program and practices, including the FDIC's compliance with FISMA and related information security policies, procedures, standards and guidelines.


Background

Key to achieving the FDIC's mission of maintaining stability and public confidence in the nation's financial system is safeguarding the sensitive information it collects and manages in its roles as federal deposit insurer of banks and savings associations and as receiver for failed institutions. Ensuring the integrity, availability, and confidentiality of this information in an environment of increasingly sophisticated security threats requires a strong, enterprise-wide information security program.


Audit Results

In general, with respect to the information technology systems and common controls reviewed, KPMG found that the related program and operational controls demonstrated effectiveness while management and technical controls warranted management attention. The FDIC continues to build upon its past success in addressing the information security provisions of FISMA and the standards and guidelines of the National Institute of Standards and Technology. Importantly, the FDIC had established policies and procedures in substantially all of the security control areas KPMG evaluated. The FDIC had also implemented a number of important security control improvements in response to KPMG's 2007 evaluation, such as enhancing its encryption capabilities and strengthening its corporate privacy program. Additional control improvements were also underway at the close of the audit.

The above accomplishments were positive. However, KPMG identified a number of information security control deficiencies warranting management attention. Of particular note, KPMG identified access control deficiencies within the FDIC's internal network that presented a high risk of unauthorized disclosure of sensitive information or compromise of IT resources. While the FDIC was taking prompt action to address these access control deficiencies, increased management attention in this area is warranted. The table below presents KPMG's security program assessment results.

The report identifies eight steps that the Corporation can take to improve the effectiveness of its information security program controls in the areas of Risk Assessment; Planning; Certification, Accreditation, and Security Assessments; Media Protection; Awareness and Training; Identification and Authentication; Access Control; and Audit and Accountability. In many cases, the FDIC was already working to improve security controls in these areas during KPMG's audit.

Because this report addresses issues associated with information security, we do not intend to make public release of the specific contents of the report.


KPMG's Assessment of the FDIC's Security Program Controls

Control Class   Control Families Tested that             Control Families Tested that
                Demonstrated Effectiveness               Warrant Management Attention
--------------  ---------------------------------------  -------------------------------------------
Program         - Information Security Governance
                - Enterprise Architecture

Management                                               - Risk Assessment
                                                         - Planning
                                                         - Certification, Accreditation,
                                                           and Security Assessments

Operational     - Maintenance                            - Media Protection
                - System and Information Integrity
                - Incident Response
                - Awareness and Training

Technical                                                - Identification and Authentication
                                                         - Access Control
                                                         - Audit and Accountability

Source: KPMG's 2008 audit of the FDIC's information security program. KPMG did not evaluate the following control families: System and Services Acquisition, Contingency Planning, Configuration Management, System and Communication Protection, Personnel Security, and Physical and Environmental Protection.